Office of Inspector General

Report of Audit

SECURITY OF SCIENCE AND ECOSYSTEMS SUPPORT DIVISION (SESD) LOCAL AREA NETWORK (LAN)

SEPTEMBER 30, 1997

Audit Report E1NMF7-15-0001-7100309

Inspector General Division Conducting the Audit: ADP Audits and Assistance Staff

Region Covered: Region 4

Program Offices Involved: Athens Laboratory

Security of SESD Local Area Network (LAN)[1]
Report No. E1NMF7-15-0001-7100309

Our audit determined that the Science and Ecosystems Support Division (SESD) in Athens, Georgia, did not have a security plan or backup/disaster recovery plan. Audit results also disclosed that SESD management plans to place non-LAN administrative personnel in the room where the LAN’s file servers and telecommunication wiring reside. In addition, there were no formal procedures for overall LAN maintenance or standard operating procedures for daily routines, such as granting and terminating access, making backup tapes, etc. Management was unaware of the Agency guidelines and requirements concerning plans and procedures, prior to the recent receipt of Agency-issued guidance. Lack of plans and procedures could lead to unauthorized disclosure or manipulation of sensitive Agency data.
Finally, we noted that there were a number of Novell server settings and configuration irregularities which need to be corrected.

PURPOSE

The objectives of this audit were to: 1) test the physical, security, and detective controls over the SESD LAN, especially those controls involving physical and logical access; 2) verify the adequacy of controls relative to the backup and recovery of the SESD file servers; and 3) verify that adequate policy, procedures and administrative controls exist relative to SESD LAN management.

BACKGROUND

SESD LAN

SESD is located in the Regional laboratory in Athens, Georgia. The SESD LAN consists of 2 file servers. These file servers connect with the backbone for the 10 local area networks serving the following Divisions and Offices: Environmental Accountability Division, Waste Management Division, Water Management Division, Science & Ecosystem Support Division, Air Pesticides, Toxics Management Division, and the Offices of Policy & Management, Congressional Affairs, and Public Affairs.

[1] A data communication network operating over a limited geographical area, typically within a building or group of buildings.

LAN Management

The majority of EPA’s employees are connected to local and Agency applications and data through LANs and the value-added backbone services. The Enterprise Technical Services Division’s (ETSD) LANSYS group is responsible for maintenance of the backbone servers, the backbone software, and the backbone wiring throughout EPA.
However, each individual LAN is managed locally by the program office it serves.

ETSD requires adherence to EPA’s security standards in order for a LAN to be connected to an Agency facility backbone and to obtain ETSD support. However, these are minimum security standards and it is ultimately left up to local management and LAN System Administrators to design and implement security for their LAN. The degree of security needed at a LAN site will vary with the type of data processed and the physical security afforded by the facility. Each LAN must comply with the security standards listed in Section 6 of NDPD Operational Directive No. 310.09. These standards state the minimum levels of security which must be implemented and maintained. Compliance with these security policies is a prerequisite for connection to the Agency backbone and for support by ETSD. Failure to comply with these policies will result in disconnection of a LAN from the Agency internetwork and removal of ETSD support.

Currently, there are approximately 300 LANs within EPA, supporting an estimated 14,000 workstations. Within a few years, it is projected that all Agency employees will be connected by a LAN. Furthermore, it is an ETSD goal to move toward ‘workgroup computing’ (i.e., everyone uses the same hardware and software in the same way) and eventually to ‘Enterprise LANs’ where data can be distributed, collected, processed and accessed throughout the Agency.

As the number of new LAN installations increases, so does the number of programs and quantity of data stored on these LANs. Microcomputers or Personal Computers (PCs) pose numerous security issues by themselves, but the task of securing these resources is even more difficult when work group PCs are connected to form LANs in order to share resources. Any one work group LAN may be adequately self-contained and have a LAN System Administrator.
Once these separate LANs are connected via a facility-wide backbone, physical access among work groups is granted. Therefore, with the increased number of access points, security becomes a larger issue for all users and LAN System Administrators.

SCOPE AND METHODOLOGY

The primary focus of this audit was to evaluate the security of Region 4’s LANs. Field work was conducted from January 1997 through March 1997, at SESD in Athens, Georgia. We conducted this audit in accordance with Government Auditing Standards (1994 revision) issued by the Comptroller General of the United States. We reviewed the procedures for granting access to the SESD LAN, and requested and reviewed applicable system documentation. In addition, we performed a security “walkthrough” and discussed security considerations and requirements with responsible SESD LAN representatives. Finally, we evaluated the compliance of LAN settings and configuration with established Agency information security policies and standards, federal regulations and industry standards using the Enterprise Security Manager (ESM) software. For further details on the ESM software, see Appendix II.

PRIOR AUDIT COVERAGE

There has not been any prior audit coverage relating to security controls affecting SESD LANs.

CRITERIA

Federal and Agency guidelines, as well as industry publications, were used to form a framework of prudent, stable business practices and therefore served as a means to evaluate LAN security. Provided below is a summary of the criteria used during this review.
References to other published guidelines are specified throughout the report.

Computer Security Act of 1987 (P.L.100-235)

The Computer Security Act of 1987 creates a means for establishing minimum acceptable security practices for such systems, without limiting the scope of security measures already planned or in use. The Computer Security Act requires the establishment of security plans by all operators of Federal computer systems that contain sensitive information. The Act also requires mandatory periodic training for all persons involved in management, use, or operation of Federal computer systems that contain sensitive information.

The Act assigns to the National Institute of Standards and Technology (formerly the National Bureau of Standards) responsibility for developing standards and guidelines for Federal computer systems. This responsibility includes developing standards and guidelines needed to assure the cost-effective security and privacy of sensitive information in Federal computer systems, drawing on the technical advice and assistance (including work products) of the National Security Agency, where appropriate. Also, this Act provides for the promulgation of such standards and guidelines.

Office of Management and Budget (OMB) Circular A-130

OMB A-130 mandates that reviews should assure that management, operational, personnel, and technical controls are functioning effectively. Security controls may be reviewed by an independent audit or a self review.
The type and rigor of review/audit should be commensurate with the acceptable level of risk which is established in the rules for the system, as well as the likelihood of learning useful information to improve security. Technical tools such as virus scanners, vulnerability assessment products (which look for known security problems, configuration errors, and the installation of the latest patches), and penetration testing can assist in the on-going review of different facets of systems. However, these tools are no substitute for a formal management review at least every three years. Indeed, for some high-risk systems with rapidly changing technology, three years will be too long.

Depending upon the risk and magnitude of harm which could result, weaknesses identified during the review of security controls should be reported as deficiencies in accordance with OMB Circular No. A-123, "Management Accountability and Control" and the “Federal Managers' Financial Integrity Act” (FMFIA). In particular, if a basic management control such as assignment of responsibility, a workable security plan, or management authorization are missing, then consideration should be given to identifying a deficiency.

Local Area Network Operational Procedures and Standards (LOPS)

The Local Area Network Operational Procedures and Standards (LOPS) describes the minimum, or baseline, standards required for all EPA LANs. These procedures provide a reference for LAN implementation and operation within the Agency’s standardized framework.

EPA Information Security Manual (ISM)

This manual provides the necessary direction to implement Federal regulations concerning information security, and outlines the specific procedures and requirements necessary to ensure adequate protection of all EPA information systems. The manual addresses both manual and automated information systems.
The security concepts, roles and responsibilities, apply to both manual and automated systems. The manual serves as a baseline for EPA organizations and personnel to measure and determine whether 1) the information they are using is being protected adequately, and 2) their organization is in compliance with all requirements of the Agency’s Information Security Policy.

The ISM applies to all EPA organizations and their employees. It also applies to the facilities and personnel of EPA’s agents (including contractors) who are involved in designing, developing, operating, maintaining, or accessing Agency information and information systems.

SESD NEEDS A LAN DISASTER RECOVERY PLAN

SESD does not have a disaster recovery plan for their LAN. In the event of a disaster, critical information would be lost and management would have a difficult time restoring the LAN to pre-disaster condition. SESD management was unaware of Agency requirements for a formal disaster recovery plan. A disaster scenario is any likely event that has a chance of occurring and if it occurs has the potential for significantly interrupting normal business processing. These events include fires, severe thunderstorms, floods, tornados, and hurricanes.

Operations continuity deals with the notion that a business should be able to survive and continue operations even if a disastrous event occurs. Rigorous planning and commitment of resources are necessary to adequately plan for such an event.
Contingency planning is the primary responsibility of senior management as they are entrusted with the safeguarding of both the program information and viability of the program office to perform its duties.

All of the SESD file servers are located in one room within the Athens laboratory. A disaster need only occur in that particular room to be considered a disaster for the Athens facility. In the event that the file server room should experience a disaster, such as fire or another form of natural disaster, the Athens facility would be unable to institute a timely disaster recovery process. Responsible personnel would have to create information on how to get systems restored after the disaster, thereby increasing restoration time.

During a disaster an adequate disaster recovery plan is of utmost importance. It lends organized plans to what can sometimes be a chaotic situation. An adequate disaster recovery plan should include but is not limited to the following:

- Notification
  Procedures for notifying relevant managers in the event of a disaster. Typically, this includes a contact list of home and emergency telephone numbers.

- Disaster Declaration
  Procedures pertaining to the assessment of damage following a disaster, criteria for determining whether the situation constitutes disaster, and procedures for declaring a disaster and invoking the plan.

- Systems Recovery
  Procedures to be followed to restore critical and vital systems at emergency service levels within a specified time frame, in accordance with the systems recovery strategy defined in the plan.

- User Recovery
  Procedures for recovering critical and vital user functions within a specified time frame in accordance with the planned strategy. This includes documenting instructions for processing data manually, even though the data may previously have been processed via an automated system. Even if the manual procedure was the standard at one time, continued knowledge of such procedures should not be assumed. This is especially true as tenured employees who may have once performed manual procedures may transfer or retire, and manual documentation and forms can be destroyed or misplaced.

SECURELY STORE BACKUP FILES OFF-SITE

Taped file backups are not securely stored off-site. Although facility personnel back up data files manually on a periodic basis, the backups are kept in the home of the LAN administrator, an EPA contractor. The NDPD Operational Directives Manual No. 310.05, entitled LAN Data Management, requires that LAN administrators perform backups and store the backups securely off-site. The off-site location needs to be as safely secured and controlled as the originating site. This includes adequate physical access controls such as locked doors, no windows, and human surveillance. This requirement is especially critical for sensitive Agency data.
The SESD LAN administrator stated he was unaware of Agency backup data storage requirements.

In addition, the SESD facility does not have formal policies and procedures to perform backup and off-site storage of Agency data. Currently, an experienced LAN administrator performs regularly scheduled backups. However, formal policies and procedures should be established to ensure that any appointed personnel could perform the necessary procedures to back up data.

SESD NEEDS A FORMAL LAN SECURITY POLICY AND MAINTENANCE AND OPERATING PROCEDURES

SESD Needs A LAN Security Plan

SESD does not have a LAN security plan as required by OMB A-130. In addition, SESD did not report incomplete security documentation as a control weakness in their fiscal 1996 Federal Manager’s Financial Integrity Act (FMFIA) Assurance Letter. SESD was unaware of the OMB Circular A-130 requirement. Management security policies document the standards of compliance. Security policies should state the position of the organization with regard to all security risks, and should also identify who is responsible for safeguarding organization assets, including programs and data. Without an adequate LAN security plan employees are unable to provide adequate protection against violators.

OMB Circular A-130 requires that management approve security plans at least every three years through the OMB Circular A-123 process. In addition, it specifies that security control weaknesses be reported as part of the Agency’s OMB Circular A-123 annual review process.
The Information Resources Management Security Program is relying on the managers of the individual sites and program offices to implement these IRM security requirements or to report information security weaknesses as part of the OMB Circular A-123 process.

OMB Circular A-130 is entitled “Management of Federal Information Resources.” Appendix III of this Circular is entitled “Security of Federal Automated Information Systems.” This appendix details the required policy and guidance agencies must provide to ensure that automated systems have adequate security programs and documentation. It establishes a minimum set of controls to be included in Federal automated information security programs; assigns Federal agency responsibilities for the security of automated information; and links agency automated information security programs and agency management control systems established in accordance with OMB Circular A-123. The Appendix revises procedures formerly contained in Appendix III to OMB Circular A-130 (50 FR 52730; December 24, 1985), and incorporates requirements of the Computer Security Act of 1987 (P.L.100-235) and responsibilities assigned in applicable national security directives.

OMB Circular A-130 also requires the development of a security plan and provides guidance regarding the content of an adequate security plan. Key components of such a security plan include the following:

- Management support and commitment;
- Access philosophy;
- Access authorization;
- Reviews of access authorization;
- Security awareness;
- A defined role for the security administrator;
- Security committee; and
- Hardware and software inventory control.

No Desk Procedures for LAN Administrator

There are no “desk” procedures for backup or new LAN administrative personnel to follow in the event that the primary LAN administrator is unable to perform his/her duties. SESD attributed the non-existence of procedures to conflicting priorities. These standard operating procedures should include granting and terminating access to the SESD file servers, making backup tapes, contingency plans, troubleshooting the LANs, and general computer security administration matters. If the primary LAN administrator is not available, other LAN administrative staff may have to assume their duties. Without written procedures to guide the replacements, the SESD LAN could be left vulnerable, especially in the event of a disaster.

No Maintenance Plan For SESD LAN

There is no maintenance plan for SESD LANs. Consequently, there is no regularly scheduled LAN maintenance. For example, according to the LAN administrator, account maintenance is performed as other duties permit. Regular maintenance is essential to maintain the integrity and continuity of the SESD LAN. SESD attributed the non-existence of policies and procedures to conflicting priorities and scarce resources. Currently, SESD retains a contractor who functions as the SESD LAN administrator to manage two file servers. A lack of policies and procedures could lead to inconsistent application of settings and loss of accountability.

PROPOSED SEATING ARRANGEMENTS PLACE EMPLOYEES IN THE LAN ROOM

SESD laboratory management plans to place program employees in the same room where the LAN file servers are located. If these employees are situated in this room, the file servers will be exposed to non-LAN administrative personnel.
This arrangement would create physical and environmental exposures which could result in loss of credibility and accountability. Discussions with management identified spacing constraints as the cause for this potential weakness.

Access and environmental controls provide for confidentiality, integrity, protection, and managed availability of computer facilities and systems. These controls reduce the risk of adverse business conditions due to computer malfunction, data or software failure, or abuse of responsibilities, while still providing computerized information and resources for the people who need them. These controls must address both human and natural threats to the computer system. Exposures to the SESD LAN that exist from accidental or intentional violation of these physical and environmental controls include the following:

- Damage to equipment and property;
- Vandalism to equipment and property;
- Theft of equipment and property;
- Copying or viewing of sensitive information;
- Alteration of sensitive equipment and information; and
- Public disclosure of sensitive information.

Anyone in the room housing the LAN would have access to the servers. The servers could be accidentally or intentionally unplugged or damaged. Also, since the on/off switch is accessible, the servers could simply be turned off. Another concern stems from the fact that the file servers boot up from the “A drive.” Therefore, a person can switch off the file server and then bring it back up after placing a diskette into the A drive.
A diskette containing batch[2] files with unauthorized instructions for the file server could be run once the system reboots. Also, a knowledgeable person could introduce a virus through the A drive.

The file servers must be secured so that they are not exposed to employees who do not require access. If they are not properly secured, the file servers will be vulnerable to accidental or intentional damage and/or loss of data.

LAN SETTINGS ARE NOT IN ACCORDANCE WITH AGENCY STANDARDS AND INDUSTRY GUIDANCE

Some of the SESD LAN account settings are not in compliance with the Agency’s LOPS manual and best industry practices. We determined, through the use of Enterprise Security Manager (ESM) software and discussions with responsible officials, that the SESD LAN does not follow all of the guidelines set forth in the Agency’s LOPS manual. This could leave the SESD LAN vulnerable to security breaches from hacker attacks within and outside the Agency. Discussions with SESD representatives determined that they were unaware of required Agency LAN settings.

ESM is a client/server product which reports on the status of the existing client operating system, in terms of security compliance to a set of standards. ESM designed the client to be installed on all supported multi-user operating systems to improve network security. Host (Agency) security standards are used as the benchmark for evaluating security. The ESM software consists of a manager and an agent component designed to collect and report security relevant data (e.g., password length required by the system, potential security vulnerabilities, etc.) for an entire enterprise from a central location.
We provided further details on the ESM product in Appendix II.

[2] The processing of a group of related transactions at planned intervals.

Due to the nature of the vulnerabilities noted, we decided to present them in a table format. The following table summarizes the vulnerabilities and potential effects on the SESD LAN, as determined by ESM:

Table has been redacted due to sensitive nature

RECOMMENDATIONS

We recommend that the Director of SESD:

1. Develop a disaster recovery plan for the SESD LAN.

2. Ensure that Agency data backups are securely stored off-site.

3. Establish formal policies and procedures to ensure that any appointed personnel could perform the necessary procedures to back up data.

4. Develop a security plan which addresses the full complement of OMB Circular A-130 requirements. In addition, the Director should report the absence of a security plan as a “material weakness” in subsequent FMFIA Assurance Letters, until the plan is completed.

5. Establish a formal maintenance plan for the SESD LAN. This plan should include, but is not limited to, software installation, hardware upgrades, and capacity management. Regular maintenance is essential to maintain the integrity and continuity of the SESD LAN.

6. Establish and maintain desk procedures for backup or new LAN administrative personnel to follow in the event that the primary LAN administrator is unable to perform his/her duties.

7. Ensure that LAN file servers are not exposed to employees who do not specifically require physical access to them.

8. Based on the conditions identified, adjust the Novell NetWare settings on the SESD LAN to comply with Agency and industry guidance.

AGENCY COMMENTS AND OIG EVALUATION

In a memorandum dated August 19, 1997, the Director of Region 4's Science and Ecosystems Support Division (SESD) responded to our draft report (See Appendix I). In summary, SESD management agreed with all eight of our recommendations.

SESD management agreed to develop a disaster recovery plan based upon the one being created for the Region IV LANs in Atlanta, Georgia. Management officials also agreed to store data backups off-site at the SESD Field Equipment Center by September 1, 1997. SESD management will also establish policies, by October 1, 1997, to ensure that any appointed personnel could perform the necessary procedures to back up data.

In addition, SESD staff will work with Region IV's Information Management Branch and their Information Security Officer to develop a security plan. SESD management also agreed to produce a maintenance plan based upon the one developed by Region IV. Furthermore, SESD staff will formulate an initial draft of standard operating procedures for SESD LAN administrators by November 1, 1997. SESD management also agreed to limit access to the room which houses the LAN file servers and telecommunication wiring. They will contact the General Services Administration regarding the installation of a wall and locked door to separate the computer equipment from the staff work area.
Finally, using the Enterprise Security Manager software to provide needed details, SESD will adjust their LAN settings to comply with Agency LAN security policies.

We concur with SESD’s response to our recommendations and will evaluate their corrective actions during our follow-up review.

APPENDIX I (Pages 1 through 5)

APPENDIX II

ENTERPRISE SECURITY MANAGER (ESM)

Enterprise Security Manager (ESM) is a client/server product which reports on the status of the existing client operating system in terms of security compliance to a set of standards. Axent Technologies designed the client to be installed on all supported multi-user operating systems to improve network security. Host (Agency) security standards are used as the benchmark for evaluating security.

The ESM software consists of a manager and an agent component designed to collect and report security relevant data (e.g., password length required by the system, potential security vulnerabilities, etc.) for an entire enterprise from a central location. The manager provides control over global functions (e.g., report scheduling, report generation, etc.) that are independent of ADP architecture and operating system (e.g., SUN/Solaris). The agent portion is specific to the particular operating system architecture and provides the basic function of data collection for reporting to the manager. The data collected and reported is stored on the manager system, alleviating storage constraints on the agent system.
Agents exist as “processes” on VMS systems,
as “daemons” (owned by root) executing on UNIX systems, and as “NLMs” on Novell servers.
An NLM enhances or provides additional server functions in a server running NetWare Version 3.
A graphical user interface is provided by ESM through which manager/agent functions can be
controlled.

A manager can be installed on any system type currently supported by ESM (e.g., UNIX,
NetWare, VMS, etc.) and can service multiple agent systems (e.g., a NetWare server with
a manager can service agents on UNIX, NetWare, and VMS systems). Alternatively, separate
managers can be used for each architecture (e.g., NetWare servicing NetWare, UNIX
servicing UNIX, etc.), although this approach is more expensive than one manager servicing
multiple architectures.

The ESM architecture provides for security of manager/agent communication through a password.
The password is supplied when the agent is installed and when the manager is invoked for
communication with the agent. Since the agents are owned by the operating system (e.g., executing
as a daemon owned by root on UNIX systems), privileged access to the system on which the agent
is installed is not required by the user invoking the manager component. Privileged system
operation by the user invoking the ESM manager is disallowed and prevented. This properly
segregates the role of system administrator from that of the person conducting a review of system
security through use of the ESM software.

Further segregation of administrator/security reviewer roles can be achieved when using ESM. For
example, agents can be registered to (controlled by) more than one manager component. Each
manager component can be invoked by different personnel to achieve personnel backups, or to
provide use of the product by both a security reviewer and a system administrator. In addition, a
manager can be designated as a super manager. Therefore, installing a manager component in each
EPA region would allow each region its own detailed use of ESM. The designation of an ETSD
super manager would allow ETSD’s Security Staff to receive only summary data from each
regional manager for the purposes of statistical or other reporting. The specific installed
configuration is determined by the site installing the product, and will be driven by availability of
resources and expertise, funding, political concerns, etc.


APPENDIX III


GLOSSARY


DOS     -   Disk Operating System

ESM     -   Enterprise Security Manager

ETSD    -   Enterprise Technology Services Division (formerly NDPD)

FMFIA   -   Federal Managers’ Financial Integrity Act

LAN     -   Local Area Network

LOPS    -   LAN Operational Procedures and Standards

NDPD    -   National Data Processing Division (See ETSD)

NLMs    -   Network Loading Modules

OMB     -   Office of Management and Budget

SESD    -   Science and Ecosystems Support Division


APPENDIX IV


REPORT DISTRIBUTION


Office of Inspector General

 Acting Inspector General (2410)

 Assistant Inspector General for Audit (2421)

 Principal Deputy Assistant Inspector General for Audit (2421)

 Deputy Assistant Inspector General for Internal Audits (2421)

EPA Headquarters

 Agency Audit Followup Official (3101)
  Attn: Assistant Administrator for Administration and Resources Management

 Agency Audit Followup Coordinator (2710)
  Attn: Audit Management Team

 EPA HQs Library

Athens, Georgia

 Director, Science and Ecosystems Support Division

Region IV

 Chief, Information Management Branch
  Attn: Office of Policy and Management

 Chief, Grants, IAG and Audit Management Section